06-16-2015 04:45 AM - edited 03-11-2019 11:07 PM
Hi, I cannot understand why the ACL doesn't match packets from PCs 192.168.8.2 or 192.168.8.3, but it matches 192.168.8.1 (fa0/1).
In Wireshark I see source 192.168.8.2 when I run ping 192.168.176.58 from 192.168.8.2. However, it must be 213.70.2.2.
By the way, I tried to set static NAT that worked fine, but it is not what I want.
interface FastEthernet0/0
ip address 213.70.2.2 255.255.255.252
ip nat outside
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 192.168.8.1 255.255.248.0
ip nat inside
duplex auto
speed auto
!
ip nat pool pool1 213.70.2.2 213.70.2.2 netmask 255.255.255.252
ip nat inside source list 1 pool pool1 overload
!
access-list 1 permit 192.168.8.0 0.0.7.255 log
Router#ping 192.168.176.58 source 192.168.8.1
Router#sh ip nat tr
Pro Inside global Inside local Outside local Outside global
icmp 213.70.2.2:4 192.168.8.1:4 192.168.176.58:4 192.168.176.58:4
Router#
Router#trace 192.168.176.58 source 192.168.8.1
Type escape sequence to abort.
Tracing the route to 192.168.176.58
1 213.70.2.1 0 msec 0 msec 4 msec
2 192.168.176.58 0 msec 0 msec 4 msec
Router#
06-19-2015 12:34 AM
Try using a named standard access list instead.
Your example converted
ip nat inside source list nat-source pool pool1 overload
ip access-list standard nat-source
permit 192.168.8.0 0.0.7.255
My output
Pro Inside global Inside local Outside local Outside global
icmp 213.70.2.2:24 192.168.8.2:24 213.70.2.1:24 213.70.2.1:24
icmp 213.70.2.2:25 192.168.9.1:25 213.70.2.1:25 213.70.2.1:25
Additional
if you only want to use the interface address, consider the following instead:
ip nat inside source list nat-source interface fa0/0
06-19-2015 12:46 AM
thanks!
However, I managed to do this in this way:
ip nat pool pool213 213.70.2.2 213.70.2.2 prefix-length 30
ip nat inside source route-map isp1 pool pool213 overload
access-list 101 permit ip 192.168.8.0 0.0.0.255 any
route-map isp1 permit 10
match ip address 101
match interface FastEthernet0/0
It is pretty weird, but thank god it works.
06-23-2015 09:43 PM
Hi,
I agree with Dasthomp: the log keyword is not supported with a NAT ACL. If you revert your original configuration by removing the log keyword at the end of acl 1, you will be good to go.
Regards | Aref.
06-19-2015 07:41 AM
Last I checked, the use of the 'log' statement is not supported with NAT.
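An added configuration check, not from this thread or from Cisco, that scans an IOS running-config for ACLs referenced by an ip nat ... source list statement and reports those carrying the log keyword (the condition the replies above identify). The sample config is constructed from the thread's own snippets; the function name and regexes are my own.

```python
import re

# Constructed sample: the thread's original config (ACL 1 has "log") plus the
# suggested named ACL "nat-source" (no "log") for comparison.
SAMPLE_CONFIG = """\
interface FastEthernet0/0
 ip address 213.70.2.2 255.255.255.252
 ip nat outside
!
interface FastEthernet0/1
 ip address 192.168.8.1 255.255.248.0
 ip nat inside
!
ip nat pool pool1 213.70.2.2 213.70.2.2 netmask 255.255.255.252
ip nat inside source list 1 pool pool1 overload
ip nat inside source list nat-source interface fa0/0 overload
!
access-list 1 permit 192.168.8.0 0.0.7.255 log
ip access-list standard nat-source
 permit 192.168.8.0 0.0.7.255
"""

NAT_LIST_RE = re.compile(r"^ip nat (?:inside|outside) source list (\S+)")
NUMBERED_ACL_RE = re.compile(r"^access-list (\S+) (?:permit|deny) .*\blog(?:-input)?\b")
NAMED_ACL_HDR_RE = re.compile(r"^ip access-list (?:standard|extended) (\S+)")
LOG_KEYWORD_RE = re.compile(r"\blog(?:-input)?\b")

def nat_acls_with_log(config):
    """Return the sorted names/numbers of NAT-referenced ACLs that have a log entry."""
    nat_lists = set()      # ACLs named in "ip nat ... source list X"
    logging_acls = set()   # ACLs with at least one entry using log / log-input
    current_named = None   # named ACL whose indented body we are inside
    for line in config.splitlines():
        line = line.rstrip()
        if not line.startswith(" "):
            current_named = None  # any top-level line ends a named-ACL block
        if m := NAT_LIST_RE.match(line):
            nat_lists.add(m.group(1))
        elif m := NUMBERED_ACL_RE.match(line):
            logging_acls.add(m.group(1))
        elif m := NAMED_ACL_HDR_RE.match(line):
            current_named = m.group(1)
        elif current_named and LOG_KEYWORD_RE.search(line):
            logging_acls.add(current_named)
    return sorted(nat_lists & logging_acls)

if __name__ == "__main__":
    print("NAT ACLs using log:", nat_acls_with_log(SAMPLE_CONFIG))  # ['1']
```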